Computer Security Team
Terms of Reference
Approved by ISC - June 2007
Background
These terms of reference have been drafted in response to a recommendation (see appendix A) in the audit carried out by UCL Internal Audit on the UCL Computer Security Team (CST) in 2006.
The UCL Computer Security Team (CST)
The UCL Computer Security Team has an institutional responsibility for improving the security of UCL's information infrastructure and minimizing the risk of damage caused by unauthorized use. The existence of a specialist team, with dedicated resources, represents a commitment on the part of UCL to ensuring its information assets are appropriately protected.
Role and Scope of UCL Computer Security Team
The CST has four main roles in protecting UCL's information assets:
• Incident response - to manage UCL's response to incidents involving actual, incipient or potential security breaches or vulnerabilities
• Policies and procedures - to play a lead role in defining UCL's policies and procedures regarding the security of UCL's electronic information. These policies are designed to protect IT systems and their data from inadvertent or malicious attack and to ensure compliance with the relevant prevailing legislation.
• Awareness and training - to disseminate and promote general understanding of security issues and policies, to raise awareness of individual responsibilities in these areas, and to embed the relevant procedures into working practices
• Prevention - to be aware of the latest information and best practice on security issues and, working with colleagues across UCL, to ensure that UCL is pro-active in preventing security breaches
Incident response
The CST co-ordinates the handling of security incidents within UCL, liaising between departments and external organizations to provide technical support in response to, or for the prevention of, security incidents, to isolate problems and to assist in recovery after an incident has occurred. CST is the primary contact with external agencies such as JANET-CERT, the police and security auditors. An important part of incident handling is to gather statistics on the number and rate of security-related incidents.
As part of the incident response function, CST detects and investigates breaches of security, including forensic analysis of systems if necessary. Forensic analysis will be done only in cases of a suspected or actual breach of the Information Security Policy.
Policies and procedures
Another critical area of activity is UCL's Information Security policy, which impinges on the working practices of staff and students across the whole of UCL.
The CST submits proposals on security policy for discussion with the Security Working Group which then makes recommendations, through the ICT Infrastructure Sub-Committee (ICTISC), to the Information Strategy Committee (ISC).
UCL's information security policies provide the context for the team's activities, as well as setting out general responsibilities for security which apply to all staff and students. Such policies need to be kept up to date with the relevant prevailing legislation.
For all UCL development projects likely to have significant security implications, the CST will advise and collaborate with Project Managers on relevant security issues at the project initiation stage and at any points where proposed changes might have security implications.
Awareness and Training
One of the CST's roles is to raise awareness of IT security issues through dissemination and training and to ensure that appropriate information reaches all sections of the UCL community. This will include routine briefings on security issues with the Heads of the Corporate Support Service Divisions.
Prevention
The CST will, when it deems necessary and in consultation with the relevant service owners, conduct or commission information security reviews of particular systems at an appropriate depth.
General
The CST provides the following services to the UCL community as part of its activities outlined above and other day-to-day business:
• dissemination of security information
• training and education
• analyzing and evaluating the vulnerability of UCL systems to security attacks
• assessment of security risks
• detecting and investigating breaches of security, including forensic analysis if necessary
• checking systems for compliance with established security standards
• consultancy on security issues
To facilitate their work, members of the CST have the right to access near real-time operational data for purposes such as analyzing trends, providing indicators of imminent security problems and detecting security breaches.
Institutional responsibilities
The CST is responsible for enforcing UCL's Information Security Policy in liaison with departmental IT technical support staff, where they exist.
CST may authorize/carry out monitoring or access to stored material in pursuance of security issues in accordance with the UCL policy on monitoring computer and network use.
In developing its plans and strategies, the CST will consult with the SWG which will make recommendations to the ISC through ICTISC.
The CST is a service to UCL as an institution. The Head of the CST reports to the Head of EISD, with a second reporting line to the Vice-Provost (Administration) in cases of possible conflict of interest or where the authority and guidance of the Vice-Provost is needed, should a request for regulatory or policy compliance be challenged. For day-to-day purposes, the Head of CST reports to the Head of Information Systems.
Authority and Access
The CST's effectiveness requires that it has the authority to work across UCL within the framework of the institution's agreed policies as ratified by ISC. This may in some cases entail the team taking emergency action to mitigate actual or potential damage through security breaches.
The CST has the authority to require that insecure systems be taken off the UCL network and any failures to comply will be referred to the Director of EISD.
Where there is a reasonable right to know, CST staff should have unrestricted access to all records, computing equipment and other assets, personnel, and premises, and be authorized to obtain from any member of UCL staff such information and explanation as they consider necessary to carry out their responsibilities. These access rights apply to any equipment directly connected to the UCL network irrespective of ownership, in accordance with the UCL Information Security Policy and supporting policies.
Standards and guidelines for CST activities
The work of UCL CST will be performed in accordance with relevant standards and codes of practice for work of incident response teams and all UCL policies and procedures.
UCL CST will conduct its incident handling in accordance with general guidelines for incident response teams, while ensuring that JANET requirements are satisfied.
Committees
The Head of CST will be an ex officio member of the Security Working Group (SWG) and the ICT Infrastructure Sub-Committee (ICTISC) and will be on the circulation list for the papers of the Administrative Systems Sub-Committee. The Head of the CST will provide an annual report to the SWG relating to these terms of reference. Data on security incidents will be collected regularly to enable the analysis of trends.
The SWG's terms of reference are at http://www.ucl.ac.uk/cert/swg/terms.html .
Under some circumstances, the CST will need to pass on information to the SWG, members of which are under a duty of confidentiality.
Liaison
Wherever and whenever possible, UCL CST will liaise and co-ordinate plans and activities with Heads of Departments and/or departmental security contacts.
The CST will be advised by Senior Management of any security review which may have an impact on the work of CST, and wherever possible the CST will rely on the work of other auditors and reviews by external agencies to minimise duplication of effort and reduce overlap of coverage.
UCL CST Staff
The Head of CST will be responsible for all aspects of delivering the CST functions within UCL. The CST is the first point of contact for all staff on any matter relating to Information Security. (The Team's contact details are at www.ucl.ac.uk/cert.)
The work of the CST involves the handling of sensitive information, disclosure of which may be harmful to UCL's reputation and/or interests. CST staff are responsible for the safe handling of such information.
Appendix A
When considering the operational framework of the CST, the Internal Audit report stated:
"4.1.2 The CST exists to improve the security of UCL's information infrastructure and to minimise the risk of damage caused by unauthorised use. The CST provides the following services to the UCL community: incident handling, dissemination of security information, training and education, vulnerability assessment, consultancy and compliance checking.
4.1.3 Although the Information Security Policy confirms these responsibilities, the CST does not have documented Terms of Reference to describe what their role is and therefore what contribution they should be making to improve the security of UCL's IT infrastructure.
4.1.4 Without clarity over the role and responsibilities of the CST there is a risk that gaps could be left in the IT security framework, or assumptions could be made about the assurance to be provided by the CST which could result in a failure to raise genuine concerns about security: it is also possible that the CST could either exceed their level of authority, or be given inadequate authority to conduct their work e.g. by being denied access to security related information."
